
UTM 9 and SMC 5.x Client Sync Issue

I've set up and published our SMC server via UTM 9 Webserver Protection.  Both "SMC Admin Web-Console" and "Self Service Portal" are accessible from the Internet and working fine.  However, if you try to sync the SMC Control app through either 3/4G or home Wifi, I get a sync issue with the following error displaying:

"The SOPHOS Mobile Control client could not be synchronized. Communication error 2033..."  I searched and found out that error 2033 has something to do with a new security feature in SMC 5.x and up to prevent man-in-the-middle attacks, so certificate pinning has been implemented.

To verify whether the problem is on the SMC or the UTM, I tried syncing internally, and sure enough it synchronized successfully.

This tells me that there's nothing wrong with the SMC setup, but it could somehow be at the UTM side when it reverse proxies the external client request to our SMC server.

Is this a configuration issue on the UTM? If so, what's the correct way to configure it so that I don't get Communication error 2033?

Or is this a known bug/limitation with regard to integration between UTM 9 and SMC 5.x?

By the way, when I synced successfully from our internal network, I was using Wifi that is managed by the UTM, and I had SMC enabled on the UTM and tested it to be connecting OK.

---

I have this feeling that "certificate pinning" may be having issues with the SMC domain name having a private (internal) IP address and a public (external) IP address.  Might need to read

  • Hi, Mike, and welcome to the UTM Community!

    I suspect that your final observation is your problem.  What do you see in the SMC and Web Application Firewall logs when this error occurs?

    Have you posted on this in the SMC forum?

    Cheers - Bob

Thanks for the comment, Bob.  The SMC logs reveal an error that gave me an idea for a workaround.  I found this error: "Certificate hash does not match".

    Then it occurred to me that the UTM is acting as "A Man-in-the-middle" and causing a Certificate hash mismatch, perhaps?

    So I did a little experiment and exported the certificate from the UTM to the SMC.

    Then I synchronised the mobile-client from the local wifi network (direct connection to SMC with no reverse proxy)

    After that I turned off the mobile-client wifi and used the 3/4G connection. Then I re-synchronised again, and lucky enough it worked!

    Did the same again on another mobile-client and it worked like a charm.

So this little workaround saved my bacon, and staff with smartphones are happily working again.
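The diagnosis in this thread (the UTM Web Application Firewall terminates TLS with its own certificate, so a pinning client sees a different certificate hash on the external path than on the direct internal path) can be confirmed before touching any configuration by fetching the leaf certificate over both paths and comparing fingerprints. The script below is an added example, not part of the thread and not a Sophos tool. It assumes the SMC hostname is reachable on an internal address and on the public address published by the UTM, uses SHA-256 fingerprints of the DER certificate (SMC's own pin format is not documented on this page), and takes the hostname and the two addresses as command-line arguments.

```python
"""Compare the TLS leaf certificate an SMC hostname presents on two paths:
directly (internal address) and through the UTM reverse proxy (public address).
A pinning client fails with a hash mismatch whenever the two differ.
Added example; not part of the thread or of any Sophos product."""
import hashlib
import socket
import ssl
import sys
from typing import Dict, Optional


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of raw bytes (the fingerprint format used here; assumption)."""
    return hashlib.sha256(data).hexdigest()


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (stdlib helper; does not validate the certificate)."""
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint(pem_cert: str) -> str:
    """SHA-256 fingerprint of the DER encoding of a PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return sha256_hex(der)


def fetch_leaf_cert(host: str, port: int = 443,
                    server_name: Optional[str] = None,
                    timeout: float = 5.0) -> str:
    """Fetch the leaf certificate (PEM) that host:port presents.

    Chain validation is deliberately off: the point is to see which certificate
    is served, not whether it is trusted.  server_name sets SNI so the UTM WAF
    selects the same virtual webserver the real client would hit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must precede verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            der = tls.getpeercert(binary_form=True)
    return pem_from_der(der)


def diagnose(internal_fp: str, external_fp: str,
             pinned_fp: Optional[str] = None) -> str:
    """Explain the expected sync outcome from the fingerprints seen on each path.

    pinned_fp is the hash the client stored at its last direct sync, if known."""
    if internal_fp != external_fp:
        return ("mismatch: the reverse proxy presents a different certificate "
                "than SMC serves directly; external syncs will fail the pin check")
    if pinned_fp is not None and pinned_fp != internal_fp:
        return ("mismatch: the client's stored pin is stale; re-sync on the "
                "direct path so it pins the certificate now in use")
    return "ok: the same certificate is served on both paths"


def compare_paths(server_name: str, internal_addr: str,
                  external_addr: str) -> Dict[str, str]:
    """Fingerprint the certificate on each path, keyed by path name."""
    return {
        "internal": fingerprint(fetch_leaf_cert(internal_addr, server_name=server_name)),
        "external": fingerprint(fetch_leaf_cert(external_addr, server_name=server_name)),
    }


def main(argv) -> int:
    if len(argv) != 4:
        print(f"usage: {argv[0]} SMC_HOSTNAME INTERNAL_ADDR EXTERNAL_ADDR")
        return 2
    name, internal, external = argv[1:]
    fps = compare_paths(name, internal, external)
    for path, fp in fps.items():
        print(f"{path:9s} {fp}")
    print(diagnose(fps["internal"], fps["external"]))
    return 0 if fps["internal"] == fps["external"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_pin.py smc.example.com 10.0.0.5 203.0.113.10` (placeholder names). Two different fingerprints is the state the thread describes; after the workaround (the UTM's certificate installed on SMC, then one direct sync so the client re-pins) both lines should print the same fingerprint. Any later certificate rotation on the UTM will break the pin again, so the same check belongs in the renewal checklist.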